HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack
pattern in which an attacker inserts an additional HTTP request into the
headers or body of the original (enveloping) HTTP request in such a way that
the browser or sending client treats the bytes as one request but the web
server (or an intermediary in front of it) parses them as two. The two names
are now used for two variants of the same parsing inconsistency: request
splitting injects CR/LF into a header so that the client emits two requests
while believing it sent one, while request smuggling exploits two server-side
parsers (for example a front-end proxy and a back-end server) that disagree on
where one request's body ends and the next request begins.
There are several ways to perform HTTP request splitting attacks. One way
is to include two Content-Length headers with different values, exploiting
the fact that each device parsing the request may honor a different one
(first or last) and therefore disagree about where the body ends. Another way
is to submit a request with "Transfer-Encoding: chunked" in its headers (for
example set from script with XMLHttpRequest's setRequestHeader) together with
a Content-Length, so that a parser honoring the chunked encoding terminates
the body at the zero-length chunk and treats the remaining bytes of the
payload as the start of a separate HTTP request. A third way is the "double
CR in an HTTP header" technique: a CR/LF pair injected into a header value
ends the header block early, and whatever follows it is parsed as a second
request. There are also a few less general techniques targeting specific
parsing bugs in certain web servers.
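The three techniques above all come down to two parsers drawing the request boundary in different places. The following is an added example, not code from the CAPEC page or from any real server: a toy HTTP/1.1 framer that can be switched between "honor Transfer-Encoding", "first Content-Length wins" and "last Content-Length wins", run over three constructed payloads (one per technique). The host example.test, the path /admin and the header X-Custom are placeholders chosen for the demonstration.

```python
# Added example (not from the CAPEC page): toy HTTP/1.1 request framers that
# disagree about where a message body ends, run over constructed payloads.
# "example.test", "/admin" and "X-Custom" are placeholders for the demo.

def _split_head(stream):
    """Return (start_line, [(name, value), ...], body_offset) for the header
    block at the front of stream, or None if no CRLF CRLF terminator yet."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = stream[:end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("latin-1"), headers, end + 4


def _decode_chunked(data):
    """Decode a chunked body from the front of data; return (body, consumed)."""
    pos, body = 0, b""
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore extensions
        pos = line_end + 2
        if size == 0:  # last-chunk, then an empty line (no trailers here)
            if data[pos:pos + 2] != b"\r\n":
                raise ValueError("missing CRLF after last chunk")
            return body, pos + 2
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def parse_requests(stream, framing):
    """Split stream into (start_line, body) tuples under one framing policy.

    "te":       honor Transfer-Encoding: chunked, else the last Content-Length
    "cl-first": ignore Transfer-Encoding, use the first Content-Length
    "cl-last":  ignore Transfer-Encoding, use the last Content-Length"""
    out = []
    while stream:
        parsed = _split_head(stream)
        if parsed is None:
            break  # trailing bytes without a full header block stay pending
        start_line, headers, body_off = parsed
        te = [v for n, v in headers if n == b"transfer-encoding"]
        cl = [v for n, v in headers if n == b"content-length"]
        rest = stream[body_off:]
        if framing == "te" and te and te[-1].lower() == b"chunked":
            body, used = _decode_chunked(rest)
        elif cl:
            n = int(cl[0] if framing == "cl-first" else cl[-1])
            body, used = rest[:n], n
        else:
            body, used = b"", 0
        out.append((start_line, body))
        stream = rest[used:]
    return out


# The complete second request the attacker wants the back end to see.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"

# 1. CL.TE: Content-Length spans the whole body (one request for a CL-only
#    parser); a chunked parser stops at the zero-size chunk and reads SMUGGLED
#    as the next request on the connection.
_cl_te_body = b"0\r\n\r\n" + SMUGGLED
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n"
         % len(_cl_te_body)) + _cl_te_body

# 2. Two Content-Length headers: first-wins and last-wins parsers disagree.
_prefix = b"x=1\r\n"
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: %d\r\nContent-Length: %d\r\n\r\n"
             % (len(_prefix), len(_prefix) + len(SMUGGLED))) + _prefix + SMUGGLED

# 3. Request splitting: a naive client copies a header value containing an
#    injected CRLF CRLF verbatim. It believes it wrote one request; every
#    server-side framer sees two.
def build_client_request(path, extra_headers):
    msg = b"GET " + path + b" HTTP/1.1\r\nHost: example.test\r\n"
    for name, value in extra_headers:
        msg += name + b": " + value + b"\r\n"  # no CR/LF filtering
    return msg + b"\r\n"

INJECTED = b"value\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.test"
SPLIT = build_client_request(b"/", [(b"X-Custom", INJECTED)])

if __name__ == "__main__":
    for label, raw, a, b in (("CL.TE", CL_TE, "cl-first", "te"),
                             ("double CL", DOUBLE_CL, "cl-last", "cl-first"),
                             ("CRLF split", SPLIT, "te", "cl-first")):
        print(label, a, len(parse_requests(raw, a)), b, len(parse_requests(raw, b)))
```

Running it shows the asymmetry each technique relies on: the CL.TE payload is one request under either Content-Length policy and two under the chunked policy; the double Content-Length payload is one request for a last-wins parser and two for a first-wins parser; the CRLF-split payload was emitted by the client as a single message yet is two requests under every policy.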
Attack Execution Flow

Explore

  Investigate Target Environment:
    Determine the technologies used in the target environment, such as
    types of browsers, web servers, application firewalls, proxies, etc.

  Attack Step Techniques
  ID  Attack Step Technique Description                                Environments
  1   Investigate the target environment to determine which            env-Web
      components parse the incoming HTTP requests (browser, proxy,
      firewall, web server) and how each one parses HTTP request
      headers, in particular how it frames the message body when
      Content-Length and Transfer-Encoding are present, duplicated,
      or in conflict.

Exploit

  Post a malicious HTTP Request:
    Post a malicious HTTP request that will be interpreted as multiple
    HTTP requests when parsed on the server.

  Attack Step Techniques
  ID  Attack Step Technique Description                                Environments
  1   Post a malicious HTTP request with an injected double CR/LF       env-Web
      inside a header to cause request splitting.
  2   Post a malicious HTTP request carrying "Transfer-Encoding:        env-Web
      chunked" in the request header to cause request splitting.
  3   Post a malicious HTTP request carrying two Content-Length         env-Web
      headers with different values to cause request splitting.
Attack Prerequisites
User-manipulatable HTTP request headers are processed by the web server, and
at least two of the components handling the request (client, proxy, firewall,
web server) can disagree on how the message is framed.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Protocol Manipulation
Injection
Analysis
Examples-Instances
Description
Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and
prior, and 7.0 contain a vulnerability that could allow an
unauthenticated, remote attacker to conduct HTTP request splitting and
smuggling attacks.
The vulnerability is due to an input validation error in the browser
that allows attackers to manipulate certain headers to expose the
browser to HTTP request splitting and smuggling attacks. Attacks may
include cross-site scripting, proxy cache poisoning, and session
fixation. In certain instances, an exploit could allow the attacker to
bypass web application firewalls or other filtering devices.
Microsoft has confirmed the vulnerability and released software updates.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Good understanding of the HTTP protocol and the parsing mechanisms
employed by various web servers
Resources Required
Low: No specialized equipment is needed
Probing Techniques
Issue HTTP requests with deliberately ambiguous framing (for example both
Content-Length and Transfer-Encoding, or two differing Content-Length values)
against a target server and examine the responses. A back end that expects
more body bytes than the front end forwarded will stall until it times out; a
back end that stops early will treat the leftover bytes as a separate request,
which typically shows up as an unexpected second response or a 400 error.
Compare behaviour with and without the ambiguity before concluding that two
parsers disagree.
Solutions and Mitigations
Make sure to install the latest vendor security patches available for the
web server and for every proxy, load balancer or application firewall in
front of it; a discrepancy between any two of these parsers is enough.
If possible, make use of SSL/TLS end to end. Encryption only removes on-path
injection of requests; it does not help when the ambiguous request comes from
the attacker's own client, or when an intermediary terminates TLS and
re-parses the request before forwarding it.
Install a web application firewall that has been secured against HTTP
Request Splitting, that is, one that rejects ambiguous framing instead of
silently normalizing it.
Use web servers that employ a tight HTTP parsing process: reject requests
that carry both Transfer-Encoding and Content-Length, more than one
Content-Length header, a non-numeric Content-Length, bare CR or LF inside the
header block, or a Transfer-Encoding value other than a plain "chunked".
RFC 7230 requires differing Content-Length values to be treated as an
unrecoverable error and singles out the Transfer-Encoding plus Content-Length
combination as a likely smuggling attempt. Where a front end and back end
must cooperate, do not reuse one back-end connection for requests from
different clients, or use HTTP/2 end to end so that message framing is
explicit.
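The "tight HTTP parsing process" called for above, written out as an added example (not code from the CAPEC page or from any real server or WAF): a framing check a front end can run on the header block before forwarding a request, which rejects every ambiguous construct the techniques on this page depend on rather than picking one interpretation. The sample requests are constructed for the demonstration; the host h is a placeholder.

```python
# Added example (not from the CAPEC page): strict request-framing validation a
# front end (reverse proxy, WAF) can apply before forwarding a request.
import re

_TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token chars


class FramingError(ValueError):
    """Raised for a request whose body boundary is ambiguous or malformed."""


def check_request_framing(raw):
    """Validate the header block of one HTTP/1.1 request held in raw.

    Returns the parsed [(name, value), ...] list (names lower-cased) when the
    framing is unambiguous; otherwise raises FramingError with the reason."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise FramingError("incomplete header block")
    head = raw[:end]
    # A CR or LF that is not part of a CRLF pair: a lenient parser that
    # accepts a bare LF (or CR) as a line terminator would see extra lines.
    stripped = head.replace(b"\r\n", b"")
    if b"\r" in stripped or b"\n" in stripped:
        raise FramingError("bare CR or LF inside header block")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        # No colon, or whitespace/odd bytes in the name ("Content-Length :")
        if not sep or not _TCHAR.match(name):
            raise FramingError("malformed header line %r" % line)
        headers.append((name.lower(), value.strip()))
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        # The CL.TE / TE.CL disagreement; RFC 7230 flags this combination as
        # a likely smuggling attempt and permits rejecting it.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if len(te) > 1 or (te and te[0].lower() != b"chunked"):
        # "chunked, identity", "xchunked" and similar are parsed differently
        # by different servers; accept only the plain form.
        raise FramingError("unsupported or multiple Transfer-Encoding")
    if len(cl) > 1:
        # RFC 7230 lets identical duplicates be merged; a front end is safer
        # refusing them, because a back end may honor the first or the last.
        raise FramingError("multiple Content-Length headers")
    if cl and not re.fullmatch(rb"[0-9]+", cl[0]):
        raise FramingError("non-numeric Content-Length %r" % cl[0])
    return headers


def is_unambiguous(raw):
    """True if check_request_framing accepts raw, False if it rejects it."""
    try:
        check_request_framing(raw)
        return True
    except FramingError:
        return False


# Constructed requests: one clean, the rest carrying one ambiguity each.
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 3\r\n\r\nabc",
    "cl+te": b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "double cl": b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 3\r\n"
                 b"Content-Length: 30\r\n\r\nabc",
    "space before colon": b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length : 3\r\n\r\nabc",
    "obfuscated te": b"POST / HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: xchunked\r\n\r\n",
    "bare lf": b"GET / HTTP/1.1\r\nHost: h\nX: y\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-20s %s" % (label, "accepted" if is_unambiguous(raw) else "rejected"))
```

Rejecting is the important design choice: a front end that instead rewrites or drops one of the conflicting headers has to guess which interpretation the back end would have used, and a wrong guess recreates the very discrepancy being defended against. Only the "clean" sample passes; each of the others fails for the single reason named in the exception.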
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.